The present state of existing firewalls is such that allowing encrypted data to securely pass between networks, while at the same time allowing a firewall to selectively monitor the encrypted traffic, is not possible.
With the present state of the art, a firewall device is often placed at a network entrance (or perimeter) for security purposes. The firewall device allows selective communications (voice, video, data, etc.) to pass between one network and other networks. Often one network is a public network and the other network is a private network. The firewall is placed between the networks to allow only some traffic into the private network and to block all other traffic in order to protect the private network from, among other things, attack from the public network. For example, the firewall application may only allow remote administration sessions (e.g., via the TELNET protocol) from a particular remote computer with a particular Internet Protocol (IP) address, thus blocking all other TELNET attempts. The firewall may also, for example, only allow connections to the Internet to be initiated by host computers within the private network, and all incoming Internet communication attempts will be blocked unless the session has previously been initiated by the host computer on the private network.
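As an added illustration that is not part of the patent text, the two example policies just described (TELNET only from one particular remote address, and inbound Internet traffic only for sessions an inside host initiated) implemented as a small stateful filter; the private-network prefix, the administrator's address and all packets are constructed sample values.

```python
from dataclasses import dataclass

# Constructed values: the private network is 10.0.0.0/8 and the one remote
# computer permitted to open TELNET sessions is 198.51.100.7.
PRIVATE_PREFIX = "10."
ADMIN_HOST = "198.51.100.7"
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True only for the first packet of a TCP session


class PerimeterFirewall:
    """Stateful perimeter filter: records sessions opened from inside and
    logs every verdict, as a chokepoint device would."""

    def __init__(self):
        self.sessions = set()  # (inside host, inside port, outside host, outside port)
        self.log = []

    def _decide(self, p):
        src_inside = p.src.startswith(PRIVATE_PREFIX)
        dst_inside = p.dst.startswith(PRIVATE_PREFIX)
        if src_inside and not dst_inside:
            # Outbound: hosts on the private network may initiate sessions.
            if p.syn:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if dst_inside and not src_inside:
            # Rule 1: TELNET is accepted only from the one administrator host.
            if p.dport == TELNET_PORT:
                return "allow" if p.src == ADMIN_HOST else "deny"
            # Rule 2: other inbound traffic only for a session opened from inside.
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return "allow"
            return "deny"
        return "deny"  # traffic that does not cross the perimeter is not forwarded

    def filter(self, p):
        verdict = self._decide(p)
        self.log.append(f"{verdict} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return verdict
```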
Existing firewalls may also monitor and log traffic passing between two networks. As the firewall is a central “chokepoint” through which all data traffic must pass, it provides one possible place to monitor traffic and log information. The information log, if analyzed in real time, may be used to determine when security violations are being attempted and provide an intrusion detection service. The information log may also be used after the fact (i.e., other than real time) in analyzing security violations and also for prosecuting security violators (e.g., forensic analysis).
Currently there is a growing use of encryption technology for data traffic to protect against unauthorized disclosure of information. Encryption, or more generally, cryptography, is a primary means to provide privacy or confidentiality of information. Existing encryption technology allows the sender of data to encrypt (or encipher) data with, for example, a specific cryptographic key so only those parties with the same specific key can decrypt and recover the original data. If a strong algorithm is used and the key is sufficiently long, it is not possible with existing technology for anyone without this key to recover the original data.
Encryption presents problems for existing firewalls. For example, if encrypted data (transformed and unreadable information—or “secret writing” as is meant by cryptography) is applied to a firewall, the firewall may not be able to monitor, log, or perform specific firewall filtering functions on the data.
One problem caused by encrypted traffic is deciding how the firewall will handle encrypted traffic. In general, existing firewall devices do not pass encrypted traffic and will simply block encrypted traffic. One drawback with this approach is that it limits the types of information that can be passed through the firewall.
Another possible mode of operation for existing firewalls is to allow all encrypted traffic to pass. Allowing all encrypted traffic to pass, however, severely reduces the security provided by the firewall and may open a large “hole” through the firewall. For example, if an existing firewall allows encrypted traffic to pass, it must allow all encrypted traffic. That is, the firewall has no way of selectively allowing some, but not all, traffic to pass. For example, the firewall cannot allow encrypted web traffic to pass yet block encrypted TELNET traffic. In other words, the firewall cannot perform its primary filtering function with encrypted traffic.
In addition, with encrypted traffic, existing firewalls have no way of monitoring or logging the traffic intelligently because the data that the firewall needs to examine and log is encrypted and thus hidden from the firewall. In other words, if encrypted traffic is allowed to pass, the firewall cannot examine the encrypted traffic. All the firewall may do is record the encrypted data verbatim; this has no use without the encryption key. One drawback of this approach is that it prevents security policies from being enforced because the firewall cannot log what is happening in an intelligent manner. Without the encryption key, the firewall does not know what the encrypted data represents and thus cannot create logs associated with the data.
One solution in use today that attempts to address some of the above issues is to use a “security gateway” device in conjunction with the firewall. This approach does not really address the same problem, because the security gateway itself originates and terminates the encrypted data and does not solve the problems associated with encrypted traffic originating and terminating at the host computers behind the firewall.
The following description illustrates how a security gateway may attempt to address some of these problems, and the shortcomings of using the security gateway approach. The security gateway may perform encryption and decryption on behalf of the host computers. The security gateway may be a hardware device located after the firewall at the interface between the two networks.
One readily apparent drawback, if a security gateway is used, is that additional hardware is required and security gateway devices may be relatively expensive.
Another drawback is that the security gateway does not provide protection of traffic all the way to the host computer. Data is encrypted and decrypted at the security gateway and passed in the clear to the host computer. This is much less secure, especially considering that the majority of security threats occur within the so-called “trusted” environment. Since data is not encrypted between the host computer and the firewall, however, firewall functionality is not affected.
Other drawbacks of this, and other, systems exist.
In view of the foregoing, it would be desirable to provide a technique for security and cryptography which overcomes the above-described inadequacies and shortcomings. More particularly, it would be desirable to provide a technique for enabling a firewall device to allow encrypted data to securely pass between two networks, and at the same time allow the firewall to selectively monitor the encrypted traffic that is allowed to pass, in an efficient and cost-effective manner.